Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > gnu.bash.bug > #14748

Re: Use-After-Free in Bash

Path csiph.com!goblin1!goblin.stu.neva.ru!usenet.stanford.edu!not-for-mail
From Eduardo Bustamante <dualbus@gmail.com>
Newsgroups gnu.bash.bug
Subject Re: Use-After-Free in Bash
Date Tue, 30 Oct 2018 18:19:34 -0700
Lines 17
Approved bug-bash@gnu.org
Message-ID <mailman.3143.1540948790.1284.bug-bash@gnu.org> (permalink)
References <CALQDDJ90PG3c957jWTp_XE6-h_-1OdjTpeGhFso=iYtTBfyoNg@mail.gmail.com>
NNTP-Posting-Host lists.gnu.org
Mime-Version 1.0
Content-Type text/plain; charset="UTF-8"
X-Trace usenet.stanford.edu 1540948790 27679 208.118.235.17 (31 Oct 2018 01:19:50 GMT)
X-Complaints-To action@cs.stanford.edu
Cc bug-bash <bug-bash@gnu.org>
To corbin.souffrant@gmail.com
Envelope-to bug-bash@gnu.org
DKIM-Signature v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lCzyF+ttXp7dxhvB2Qff32tcjczlErLuICVb30YWP3g=; b=BF1UEnIWQX2FGCjQEQ9aH0dsjhZqcnYCQg0QbXkqnEA70mKdW3/UkVCQ0qhV8RBZjk 0toAzrh1G6DAZ45xNcw9+wWVx6wl71U9dRiM9bXTXY3r5zUtoagcTRq5QTSCcrdOy7An DOLApfDoBoy4dEqvkwclppwAnvRk1KAMRJqB2AHRjvfKI7fh52ZgGu3VDQGmuTdQb//b guMTlwi1wUmNHM8J+Y5NLiYk8YsS3gAzhBxTb2Uxeo35cn3KsBWiKSLZLiar1kVNRknj iHybF+JnXHhyStOYAN275f5iFcduIuLCFQYTtdR4U0anCcxP8dgHXOS4uu70n/GqWQFd r0JA==
X-Google-DKIM-Signature v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lCzyF+ttXp7dxhvB2Qff32tcjczlErLuICVb30YWP3g=; b=L+oeYiwBjTPLsa+m7Qsk7vOMz0GunGh7L5kCm1f8c6trP3YAU88piNO0DMFXDA6c28 2/k1PBRiDa+avUX/ByoYKvQnIMO7V8YG+KSNxxUsVvph3mgarn1HFMxRuuwm7bFFypB0 O6So3lFBCMBfkXCXy3O4QjTUipSbLmgC51pSm/kvyoaqvYxgWzhcHTUCOCdUgO7Tygkx VhLB/5vYZlcIgNHxsRBegCRAeKdeEdIo1pEgpovQNNJ1ofYZrkFoAGZwNc0k3XDEbpNW bN0GY0Lmt1En3cdERBx06pZlRPALkvnovE2OJuCHoe388vn19ZgzSVFOYZHt4cO4d47w 9Iwg==
X-Gm-Message-State AGRZ1gItG7bqQaYPFSaOFPLFXR7GKx/JxB3BQ6YQ2BbnZMarZhYo4eXf 5HYYAC/fCAJtTNtlXi0O1rb9U413iuRFezmJiEb4yw==
X-Google-Smtp-Source AJdET5eYAUQ1Om6VUtBln43h9EthPa71xtLOZc/QRcrZY/pgE7TZKm5vnAOMmKI02joPZOhhMSfPBK9BKqjqvrkSsvk=
X-Received by 2002:a2e:990e:: with SMTP id v14-v6mr668879lji.60.1540948786619; Tue, 30 Oct 2018 18:19:46 -0700 (PDT)
In-Reply-To <CALQDDJ90PG3c957jWTp_XE6-h_-1OdjTpeGhFso=iYtTBfyoNg@mail.gmail.com>
X-detected-operating-system by eggs.gnu.org: Genre and OS details not recognized.
X-Received-From 2a00:1450:4864:20::22f
X-BeenThere bug-bash@gnu.org
X-Mailman-Version 2.1.21
Precedence list
List-Id Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive <http://lists.gnu.org/archive/html/bug-bash/>
List-Post <mailto:bug-bash@gnu.org>
List-Help <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
Xref csiph.com gnu.bash.bug:14748

Show key headers only | View raw

On Tue, Oct 30, 2018 at 1:03 PM Corbin Souffrant
<corbin.souffrant@gmail.com> wrote:
(...)
> I found a reproducible use-after-free in every version of Bash from
> 4.4-5.0beta, that could potentially be used to escape restricted mode. I
> say potentially, because I can get it to crash in restricted mode, but I
> haven't gone through the effort of attempting to heap spray to overwrite
> function pointers.

Disclaimer: I'm not a maintainer.

Did you check the `devel' branch in the git repository?

I don't think the restricted mode is really advertised as a powerful
security feature, so IMO you should be able to report it here. If
you're worried though, you can always email Chet Ramey directly.

Back to gnu.bash.bug | Previous | Next | Find similar | Unroll thread

Thread

Re: Use-After-Free in Bash Eduardo Bustamante <dualbus@gmail.com> - 2018-10-30 18:19 -0700

csiph-web